Skip to content
Generates signature variations inside of a signed win32 pe file.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

PE certificate mutator


  1. Introduction
  2. Dependencies
  3. Artifacts
  4. Help Output
  5. Examples
  6. External Links


The pe certificate mutator is a python module that will generate new .exe files based on an existing .exe, with mutations to various fields associated with certificates in the file.


the pefile module is required to run this script. Otherwise, the script is capable of running on different platforms.


  • - script for modifying binary files.

Help output

usage: [-h] -b BINARY [-o OUTPUT] [-r REPLACE_SIGNATURE]
                    [-m MODES [MODES ...]] [-c COUNT] [-cmd RUN_CMD] [-rag]

optional arguments:
-h, --help            show this help message and exit
-b BINARY             Path to a binary file.
-o OUTPUT             Directory where permuted files are placed. Default is
                        the current directory.
-r REPLACE_SIGNATURE  Replace the authenticode signature in the binary
                        provided with -b with the signature from this file.
                        All subsequent mutations will be against the new
                        signature. Does not overwrite the existing binary, but
                        new mutations will include the new signature.
-m MODES [MODES ...]  Enable mutation of specific sections of the binary.
                        Not specifying this flag will enable all modes.
                        Supported modes include: security_data_directory,
                        attribute_certificate_table, bcertificate_random,
-c COUNT              For modes supporting random permutations, this will
                        control the number of distinct variants generated.
                        Default is 5. The amount of random data will increase
                        as the variants are generated.
-cmd RUN_CMD          This will result in the _run_all.bat script executing
                        this program and providing the mutated binary as
                        input, as opposed to running the mutated binary
-rag, --run-after-generation
                        This option will output, run, and delete each
                        executable variant as it is generated. Use this if the
                        creation of hundreds, thousands, or even more files on
                        the system is not desireable.
-f                    Forcefully overwrite any existing output artifact.


Display help output

python -h

Run all mutation modes against test.exe

python -b test.exe

Run a specific mutation against the binary

python -b test.exe -m attribute_certificate_table

External Links

H3Collective blog post

You can’t perform that action at this time.